Phishing dilemma

Filed Under: SophosLabs, Spam

Phishing websites usually have a very short life span. They appear and disappear very quickly as administrators take them off-line as soon as they are reported.

It is relatively rare that the phisher, presumably by mistake, allows public directory listing on the compromised host. This omission happened in a phishing attack targeting the Italian Postal bank today. Curiously, I was able to access a plain text file containing details of all credentials entered by the site visitors.

The file contained less than 20 entries before the host was taken off-line with entries reflecting the fact that visitors knew this was a phishing website. I identified only one genuine entry and I am trying to contact the user to inform him that his details were stolen. The question is, should one log into the compromised account "pro-actively" and change the password preventing phishers from stealing money?

Phishing details - fake

At the moment, there is a large number of phishing attack targeting the Italian Postal bank, which does not surprise me as the level of their internet banking security is low. Only a username and password are required to login, which is ideal if one wishes to become a phishing target. Hopefully, the sheer number of attacks will force the bank to improve its authentication mechanism.


You might like

About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.